I.T. Security and Linux Administration

Aug 30 2012   1:43PM GMT

Python: Verify SSLv2 Is Not Supported

Eric Hansen

There are two versions of SSL that Python can use, v2 and v3; which ones are available depends on what OpenSSL supports when Python is built.  The latest builds of OpenSSL remove support for SSLv2 unless you explicitly tell it to keep it, and with the security risks involved in SSLv2 it’s almost never a good idea to keep it.  As such, several Linux distributions have removed support for SSLv2 in favor of the more secure (but still vulnerable) SSLv3.  There are still some systems, however, that do support SSLv2 in their default binary packages, such as Arch Linux.

If you’re building a program to support just that version of Linux, then that is fine.  But if you want it to support Debian or Fedora as well, for example, then you will run into issues.  The problem is that if you distribute a pre-compiled version of your Python script (built with cx_freeze, for example) from Arch Linux, it will not run on Debian or Ubuntu because it will default to using the SSLv2 information.  The system you’re running it on doesn’t have support for SSLv2, so any HTTPS attempt will result in the program terminating itself (unless you have some error checking in place).

Resolving this issue can be either very troublesome or very easy, depending on how you want to handle it.  One way, which is the hardest, is to recompile OpenSSL on the development system (Arch Linux in this case) and make sure the binaries are compatible.  Not only is this time-consuming, but it’s also not guaranteed to be foolproof.  The other option is to perform some error checking, and I wrote a script just for that.

When the “ssl” module in Python is imported, it generates a list of supported protocols.  If the system’s OpenSSL supports it, SSLv2 is in that list.  Below is a simple script that you can import into your program to see if SSLv2 is enabled or not:

    try:
        import ssl
    except ImportError:
        ssl = None
        print("Unable to import SSL library into script. Compile Python with SSL support to use this.")

    def check():
        """Return 1 if the ssl module lists SSLv2 as supported, otherwise 0."""
        if ssl is None:
            return 0
        found = 0
        # _PROTOCOL_NAMES is a private mapping of protocol constant to name
        for _, name in ssl._PROTOCOL_NAMES.items():
            if name == "SSLv2":
                found = 1
        return found

If SSLv2 is supported then check() will return 1, otherwise it’ll return 0.  For the complete script (along with a simple doctest) you can visit the GitHub page here: https://github.com/SecurityForUs/PythonUtils/blob/master/ssl_test.py
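
A variant of the same check that relies only on the ssl module’s public names, together with a client context that refuses the legacy protocols. This is an added example for Python 3, not the author’s script; `legacy_protocols`, `hardened_client_context` and the stand-in module objects are hypothetical names constructed for illustration.

```python
import ssl
from types import SimpleNamespace

LEGACY = ("SSLv2", "SSLv3")  # protocols a portable program must not depend on


def legacy_protocols(module=ssl):
    """Return the legacy protocols an ssl build exposes, via public names only.

    Prefers the HAS_* flags (Python 3.7+) and falls back to the presence of
    the PROTOCOL_* constant, which is only defined when OpenSSL supports it.
    """
    found = []
    for short in LEGACY:
        flag = getattr(module, "HAS_" + short, None)
        if flag is None:
            flag = hasattr(module, "PROTOCOL_" + short)
        if flag:
            found.append(short)
    return found


def hardened_client_context():
    """Client context that verifies certificates and refuses SSLv2/SSLv3."""
    ctx = ssl.create_default_context()
    if hasattr(ssl, "TLSVersion"):  # Python 3.7+ with OpenSSL 1.1.0g+
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    else:  # older interpreters: mask the legacy protocols explicitly
        ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    return ctx


# Constructed stand-ins for the ssl module on different builds (not real data).
arch_like = SimpleNamespace(PROTOCOL_SSLv2=0, PROTOCOL_SSLv3=1, PROTOCOL_TLSv1=3)
debian_like = SimpleNamespace(PROTOCOL_SSLv3=1, PROTOCOL_TLSv1=3)
flagged = SimpleNamespace(HAS_SSLv2=False, HAS_SSLv3=False, PROTOCOL_SSLv3=1)

if __name__ == "__main__":
    print("this build:", ssl.OPENSSL_VERSION, legacy_protocols())
    for label, mod in (("arch-like", arch_like), ("debian-like", debian_like),
                       ("flagged", flagged)):
        print(label, legacy_protocols(mod))
```

Running the check at start-up on the target system, rather than on the build machine, is what catches the mismatch between the two OpenSSL builds.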
